[ https://issues.apache.org/jira/browse/CB-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15054075#comment-15054075 ]
ASF GitHub Bot commented on CB-7183:
------------------------------------

GitHub user bso-intel opened a pull request:

    https://github.com/apache/cordova-lib/pull/355

    Cb 7183

    CB-7183 security check for the scriptSrc property of the engine tag.
    The other src and target-dir path escape checks are already implemented in the cordova-lib/src/plugman/platforms/common.js copyFile() function. The only missing security check is in the scriptSrc of the <engine> tag.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bso-intel/cordova-lib CB-7183

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-lib/pull/355.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #355

----
commit 5fd5d275cd13ebe9eb3b7c86b71988cdcdfa4cf8
Author: Byoungro So <byoungro...@intel.com>
Date:   2015-12-10T03:43:46Z

    CB-7183 prevent read/write/modify files outside project from plugins

commit c03534aafc218923327ae7921eb75669927625d4
Author: Byoungro So <byoungro...@intel.com>
Date:   2015-12-12T05:48:03Z

    CB-7183 security check for engine scriptSrc tag

----


> Prevent plugins from modifying files outside of the project
> -----------------------------------------------------------
>
>                 Key: CB-7183
>                 URL: https://issues.apache.org/jira/browse/CB-7183
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: CordovaLib
>            Reporter: Andrew Grieve
>            Assignee: Byoungro So
>
> Right now this is possible:
> {code}
> <source-file src="src/someScript.js" target-dir="../../../../../hooks/pre_package"/>
> {code}
> We should ensure that plugins are not able to touch files outside of the project directory!
-- This message was sent by Atlassian JIRA (v6.3.4#6332)